Facebook was able to avoid what could have been an embarrassing privacy ordeal with a messaging feature it built for New Year’s Day.
The Menlo Park, Calif.-based social network recently introduced a new feature for its desktop site that allows users to pre-write messages for their friends that get sent out as soon as 2013 arrives at the stroke of midnight.
Nice concept, but the feature had a fatal flaw: The messages weren’t private.
British blogger Jack Jenkins discovered and reported the problem with the “New Year’s Midnight Delivery” feature on Sunday. Jenkins wrote that users could alter the feature’s URL ID with random letters and numbers to stumble on other users’ messages, some of which contained photos.
“It shouldn’t be possible to do this, as these are not generic and are people’s personal images,” Jenkins wrote.
Jenkins said it wasn’t possible to see who sent the messages, but he was able to see who the recipients were. What’s worse, he said that it appeared that he could randomly delete users’ messages if he wished.
After the flaw was revealed, Facebook took down the feature, according to Jenkins’ time stamps.
“We are working on a fix for this issue now, and in the interim we have disabled this app on the Facebook Stories site to ensure that no messages can be accessed,” Facebook told the Next Web.
The service was fixed and put back online early Monday morning, but unfortunately for users in some parts of the world, including New Zealand, New Year’s arrived before the feature returned.
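The flaw Jenkins described, where changing the ID in the URL was enough to view or delete someone else's message, is a missing per-object authorization check. The sketch below is an added example, not Facebook's code: `MessageStore`, its method names and the rule that only the sender may view or delete a message before delivery are all assumptions made for illustration.

```python
import secrets

class MessageStore:
    """Hypothetical store of pre-written messages keyed by the ID in the URL."""

    def __init__(self):
        self._messages = {}

    def create(self, sender, recipients, body):
        # Unguessable ID: defence in depth only, never the access control itself.
        msg_id = secrets.token_urlsafe(16)
        self._messages[msg_id] = {"sender": sender,
                                  "recipients": list(recipients), "body": body}
        return msg_id

    # Flawed pattern: knowing (or guessing) an ID is treated as permission.
    def view_unchecked(self, msg_id):
        return self._messages.get(msg_id)

    def delete_unchecked(self, msg_id):
        return self._messages.pop(msg_id, None) is not None

    # Hardened pattern: every access is authorized against the session user.
    def _owned(self, session_user, msg_id):
        msg = self._messages.get(msg_id)
        # Same error for "missing" and "not yours", so IDs cannot be probed.
        if msg is None or msg["sender"] != session_user:
            raise PermissionError("message not found")
        return msg

    def view(self, session_user, msg_id):
        return dict(self._owned(session_user, msg_id))

    def delete(self, session_user, msg_id):
        self._owned(session_user, msg_id)
        del self._messages[msg_id]
        return True

def demo():
    store = MessageStore()
    mid = store.create("alice", ["bob"], "Happy 2013!")  # constructed sample data
    leaked = store.view_unchecked(mid)["recipients"]  # no identity check at all
    try:
        store.view("mallory", mid)  # a different logged-in user, same ID
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, store.view("alice", mid)["body"]
```

The session user must come from the server-side session, never from a request parameter, or the check can be bypassed the same way the ID was.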